[keycloak-user] Federated and Dynamic Users/Attributes

Andreas Tell andreas.tell+keycloak at callistaenterprise.se
Thu Nov 9 04:46:31 EST 2017


Hi!

In an upcoming system we aim to use Keycloak as a "OIDC/OAuth security
proxy/broker".

All information basically resides in other systems (federated);
* An external IdP provides ID federation via SAML v2
* Permissions are fetched dynamically each time the user authenticates from
an external system via a web service call. KC is not the system of record
for this information.

After the user is authenticated, the client (web app) retrieves the full
set of permissions info via the /userinfo endpoint by providing an Access
Token (resource owner credentials grant).

My first question is; is this approach at all advisable? Can it be done
using KC?
I got a clue from this ; https://stackoverflow.com/
questions/44014260/how-to-programmatically-assign-particular-roles-at-user-
registration-in-keycloak

If so I assume we'd have to extend KC using one of the SPIs.
The documentation on the SPIs don't give me much confidence on where to
best put such extensions.

Where would I put a web service call?
How can I dynamically assign roles and/or attributes to a provisioned user?

Should I use the Authentication SPI, User Federation SPI, User Storage SPI
or possibly piggyback on a callback event of Event Listener SPI ?



Best Regards
Andreas Tell


More information about the keycloak-user mailing list